Friday, December 20, 2013

Snakeoil vs. bounties

A "bounty" is what trustworthy companies offer hackers who break their stuff. This is not to be confused with "prizes", where companies create absurd challenges for hackers to break their stuff, but with rules that mean hackers will never win. Trustworthy companies are those who regularly have to pay out on their bounties; untrustworthy companies selling snakeoil never pay out.

I mention this because of this press release saying:
"A challenge was issued to top hackers a week ago to break into secure cloud service, [XXXXX] for $25,000. 700 hackers from 49 countries already took up the hacking challenge, hailing from top universities like MIT, Stanford and Princeton and corporations like Vodafone and Tata Consulting."
This is nonsense. The contest isn't for their cloud service. Instead, the contest is for a separate, contest-specific network. It's a trick. It narrows the challenge to the most secure part of their system only -- the part they already know is secure. But hackers don't attack the strongest part of any system; that would be stupid. Instead, hackers target the weakest link in the network, which is precisely the part that isn't included in the contest.

In contrast, the bounty programs of other companies put everything under the microscope. What the hackers choose to attack is totally out of the company's control. Since security is so hard, they often have to pay out. For example, Google Chrome is the most trusted, secure browser precisely because Google has had to pay out the most in bounties -- not because it constructed an invalid contest so that it would never have to pay out.

A company that offers a $25k vulnerability bounty is trustworthy -- a company offering a $25k prize for some weird challenge isn't trustworthy at all. Either they are knowingly deceiving you, or are too stupid to understand that their challenge has no merit. Either answer means you should not trust them. They are not a security company that has won the respect of security professionals, they are a marketing company trying to hoodwink you.
